Solved

Upgrading DC from 2003 to 2008

Posted on 2010-11-18
9
454 Views
Last Modified: 2012-08-14
I am trying to upgrade my domain controller to Windows 2008 from Windows 2003. I stood up the new server and promoted it to a DC in the same domain and promoted it to a global catalog server. I also installed DNS and transferred the FSMO roles to the 2008 server. Everything seemed to be fine, Active Directory and DNS were replicating to the new server..
When I tried to demote the old server, I received a caution that there was no other Active Directory DC's in the forest. I then tried shutting off the old DC and all computers lost connection to the domain... I also noticed that when I bring up \\NEWDC my SYSVOL and NETLOGON shares are missing..
I have never had this problem on any other domain so I was hoping I could find answers here.. Any help would be greatly appreciated..
0
Comment
Question by:NavyIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2
9 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34169989
It sounds like the new server never fully replicated.
Can you run
"netdom /quest fsmo" to see what server holds the fsmo roles
then run dcdiag on both DCs and post the results.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34170010
you mistyped on the FSMO command Ken....I know what you meant though...and it happens to all of us

netdom /query fsmo
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34170022
sorry about that, thanks Mike
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 78

Expert Comment

by:arnold
ID: 34170762
As others pointed out, if sysvol/netlogon are inaccessible, the replication did not complete.  Check to see whether there are errors that prevent the replication.
One the replication completes and it does not prevent the DC from serving the domain, you should make sure that the IP of the new DC is included in the DNS/Name server settings pushed from the DHCP.
0
 

Author Comment

by:NavyIT
ID: 34173371
The new DC holds the following FSMO roles: Schema Master, Domain naming master, PDC, RID pool manager, Infrastructure master

I had to sanitize the dcdiag b/c this DC is on a classified network..
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\DC.domain, when we were trying to reach DC1.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DC1 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=(removed),DC=(removed),DC=(removed),DC=(removed),DC=(removed)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=(removed),DC=(removed),DC=(removed),DC=(removed),DC=(removed)
         ......................... DC1 failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC1\netlogon)
         [DC1] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DC1 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: RidManager
         ......................... DC1 passed test RidManager
      Starting test: Services
         ......................... DC1 passed test Services
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0x80009008
            Time Generated: 11/19/2010   05:55:05
            Event String:
            No suitable default server credential exists on this system. This wi
ll prevent server applications that expect to make use of the system default cre
dentials from accepting SSL connections. An example of such an application is th
e directory server. Applications that manage their own credentials, such as the
internet information server, are not affected by this.
         An Warning Event occurred.  EventID: 0x8000A008
            Time Generated: 11/19/2010   06:09:07
            Event String:
            The Security System has received an authentication request that coul
d not be decoded. The request has failed.
         An Error Event occurred.  EventID: 0x80000017
            Time Generated: 11/19/2010   06:14:25
            Event String:
            The KDC received invalid messages of type changepassword.
         ......................... DC1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : (Domain)
      Starting test: CheckSDRefDom
         ......................... (Domain) passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... (Domain) passed test CrossRefValidation

   Running enterprise tests on : (FQDN)
      Starting test: LocatorCheck
         ......................... (FQDN) passed test
         LocatorCheck
      Starting test: Intersite
         ......................... (FQDN) passed test
         Intersite
0
 
LVL 78

Expert Comment

by:arnold
ID: 34173750
Depending on what limitation and how much data needs to be replicated it seems it time should get the replication done.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23337964.html

The computer machine password does not match, you may need to make sure it is correct on the new DC
http://support.microsoft.com/kb/325850

It seems that you transferred the roles soon after the new DC joined the domain?
Not sure whether it would be better to transfer the roles back to the windows 2003 system and let the data replicate. (make sure you have a current system state backup.)

http://www.petri.co.il/forums/showthread.php?t=24776
0
 

Accepted Solution

by:
NavyIT earned 0 total points
ID: 34188611
Thank you for all your help. The problem turned out to be a registry setting..
I set Burflags in
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
to D4; Reset the Netlogon and NTFRS services; and the NETLOGON and SYSVOL shares showed up..

AD is replicating and I have no errors..
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34824938
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question